REMARKS

These remarks follow the order of the paragraphs of the office action. Relevant portions of the office action are shown indented and italicized.

Applicants request a review of the 'FINAL' status of the office communication, inasmuch as it is not the applicants' amendment that caused any further search. Porras and only Porras was used in the previous office communication.

    DETAILED ACTION

    Response to Amendment

    1. Applicant's amendments with respect to claims 1, 4, 7, 10 and new claims 19 and 20 filed 03/21/07 have been accepted. Therefore claims 1-20 are pending. The amendments however have introduced some claim objections.

    Claim Objections

    2. Claim 19 is objected to because of the following informalities:
    • Recitation of numeral 2 after introducing claim 19 as a new claim.
    • Unnecessary usage of an open parenthesis at the end of the claim.
    Appropriate correction is required.

In response, the applicants respectfully state that claim 19 is amended to overcome the claim objections.

    Response to Arguments

    3. Applicant's arguments filed 03/21/2007 have been fully considered but they are not persuasive. It is Applicant's primary assertion that Porras does not disclose monitoring in real time and does not use packet streams. The Examiner respectfully disagrees. Porras discloses real-time analysis of network packets as performed by service monitors (see column 3, lines 51 - 53). This analysis results in the statistical profiling of event streams (see column 5, lines 46 - 50). Furthermore, in response to applicants' argument that Porras is based on statistics, a recitation of the intended use of the claimed invention must result in a structural difference between the claimed invention and the prior art in order to patentably distinguish the claimed invention from the prior art. If the prior art structure is capable of performing the intended use, then it meets the claim.
    In particular, it is Applicant's argument that, as to claim 1, Porras does not allude to "a communications sensor for receiving and monitoring in real time communications packets flowing at arbitrary points on a network, said communications being any of communications conducted via a host and communications conducted directly" or does not anticipate "calculating formal similarity between two packet streams composed of communications packets entering the sensor upon arrival of the communications packets, and said sensor employing said formal similarity in detecting an intrusion." Again Porras discloses dynamic deployment of network monitors that are responsible for real time surveillance of a network (see column 3, lines 41 - 63). The short and long term statistical profiles aid in the generation of a statistical score that represents the similarities between the identified network packet streams that were subjected to network surveillance (see column 5, lines 46 - 50; column 6, lines 20 - 23).

In response, the applicants respectfully state that exception is taken with the office communication statements in the above response to arguments. Firstly, Porras is based on building at least one long-term and at least one short-term statistical profile from a measure of the network packets that monitors data transfers, errors, or network connections. A comparison of the statistical profiles is used to determine whether the difference between the statistical profiles indicates suspicious network activity. The invention claimed in claims 1-20 of the present application is not concerned with a comparison of anything long to anything short.

The office communication states above:

    Porras discloses real-time analysis of network packets as performed by service monitors (see column 3, lines 51 - 53). This analysis results in the statistical profiling of event streams (see column 5, lines 46 - 50).

Porras's monitoring may be in real time but there is no indication, reason to believe, or anticipation of "monitoring in real time communications packets flowing at arbitrary points on a network," as in claims 1-20.

The office communication states above:

    Furthermore, in response to applicants' argument that Porras is based on statistics, a recitation of the intended use of the claimed invention must result in a structural difference between the claimed invention and the prior art in order to patentably distinguish the claimed invention from the prior art. If the prior art structure is capable of performing the intended use, then it meets the claim.
Applicants take exception with the above statement in an anticipation rejection. Anticipation requires having each and every element of the rejected claim, which Porras does not. Besides, Porras's structure is one that necessitates and employs apparatus and/or steps for developing and using statistics. Thus, Porras's structure indeed is not "capable of performing the intended use" of claims 1-20 based on packet comparison of streams to obtain 'formal similarity' as defined in the present specification.

The office communication states above:

    Again Porras discloses dynamic deployment of network monitors that are responsible for real time surveillance of a network (see column 3, lines 41 - 63). The short and long term statistical profiles aid in the generation of a statistical score that represents the similarities between the identified network packet streams that were subjected to network surveillance (see column 5, lines 46 - 50; column 6, lines 20 - 23).

This office communication statement gives some indication of what Porras does. It appears to be a clear admission that Porras does not teach claim 1. Claim 1 has nothing to do with:
    comparison of short and long term anything;
    statistical profiles of anything;
    generation of any statistical score;
    any statistical similarities between packet streams;
    any network surveillance, short and long term statistical profiles; or
    aid in the generation of a statistical score that represents the similarities between the identified network packet streams that were subjected to network surveillance.

Applicants still maintain the arguments the office communication somewhat reproduced above:

    In particular, it is Applicant's argument that, as to claim 1, Porras does not allude to "a communications sensor for receiving and monitoring in real time communications packets flowing at arbitrary points on a network, said communications being any of communications conducted via a host and communications conducted directly" or does not anticipate "calculating formal similarity between two packet streams composed of communications packets entering the sensor upon arrival of the communications packets, and said sensor employing said formal similarity in detecting an intrusion."

Applicants still maintain Porras does not teach or anticipate:
    doing anything at arbitrary points on a network;
    receiving and monitoring in real time communications packets flowing at arbitrary points on a network;
    communications being any of communications conducted via a host and communications conducted directly;
    calculating formal similarity between anything;
    calculating formal similarity between two packet streams composed of communications packets entering the sensor upon arrival of the communications packets;
    employing said formal similarity for anything; or
    employing said formal similarity in detecting an intrusion.

Thus, applicants' previous remarks stand.

    As for claim 2, it is Applicant's assertion that Porras does not anticipate Claim 2's limitation in regard to "two packet streams by graphs depicting amounts of data in communications packets in respective packet streams with respect to elapsed time, and calculates similarity between the two packet streams." Porras teaches surveillance of event streams which are derived of network packet observation and collection (see column 1, lines 51 - 53). Moreover, the short and long term profiles of Porras are equivalent to the graphs depicting data communications since the profiles consist of data communication information (see column 1, lines 53 - 61; column 2, lines 49-60). The functionality and purpose of the profiles are parallel to those of the graphs as taught in Applicant's claimed invention.

    Applicant has presented similar arguments to those addressed in respect to claims 1 and 2 and therefore the rejections of these claims are maintained for similar reasons.

In response, the applicants respectfully state that exception is taken with the so-called equivalence of Porras's profiles to graphs.

The office communication states above:

    Porras teaches surveillance of event streams which are derived of network packet observation and collection (see column 1, lines 51 - 53). Moreover, the short and long term profiles of Porras are equivalent to the graphs depicting data communications since the profiles consist of data communication information (see column 1, lines 53 - 61; column 2, lines 49-60).

Indeed, a review of the office communication's statement of Porras's "network packet observation and collection (see column 1, lines 51 - 53)" has no teaching of the elements of claim 2.
The further statement, "[M]oreover, the short and long term profiles of Porras are equivalent to the graphs depicting data communications since the profiles consist of data communication information (see column 1, lines 53 - 61; column 2, lines 49-60)," is extremely not understood and traversed by the applicants. There is no such equivalence. Porras's profiles, not being graphic, cannot be teaching any part of claim 2, and certainly not "calculates similarity between the two packet streams based on size of regions enclosed by the two graphs when the graphs of the packet streams are moved close to each other without intersecting each other." How do profiles move close to each other without intersecting each other? Thus, the applicants' remarks in previous responses to claim 2 still stand.

Indeed exception is taken with the office communication statement:

    The functionality and purpose of the profiles are parallel to those of the graphs as taught in Applicant's claimed invention.

There is indeed no similarity or parallel teaching in Porras and the graph of claim 2.

Exception is also taken with the office communication statement:

    Applicant has presented similar arguments to those addressed in respect to claims 1 and 2 and therefore the rejections of these claims are maintained for similar reasons.

Indeed, it is unfortunate that the office communication does not address all the remaining arguments made previously for the remaining claims. However, as with claims 1 and 2, applicants' previous remarks stand.

    Claim Rejections - 35 USC §102

    The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

    A person shall be entitled to a patent unless -

    (e) the invention was described in a patent granted on an application for patent by another filed in the United States before the invention thereof by the applicant for patent, or on an international application by another who has fulfilled the requirements of paragraphs (1), (2), and (4) of section 371(c) of this title before the invention thereof by the applicant for patent.

    The changes made to 35 U.S.C. 102(e) by the American Inventors Protection Act of 1999 (AIPA) and the Intellectual Property and High Technology Technical Amendments Act of 2002 do not apply when the reference is a U.S. patent resulting directly or indirectly from an international application filed before November 29, 2000. Therefore,
    the prior art date of the reference is determined under 35 U.S.C. 102(e) prior to the amendment by the AIPA (pre-AIPA 35 U.S.C. 102(e)).

    4. Claims 1-20 are rejected under 35 U.S.C. 102(e) as being anticipated by Porras et al. in US Patent No. 6711615 (hereinafter US '615).

In response, the applicants respectfully state that Claims 1-20 are apparently not anticipated by the invention of Porras. The present invention, claimed in Claims 1-20, provides:

    "Systems, apparatus and methods to monitor communications conducted via a host computer placed under the management of security measures such as firewalls or routers' filtering capabilities. A communications monitoring system which includes a packet input means for connecting to predetermined points on a network via a network interface and receiving communications packets flowing at the points; and matching means for performing real-time matching between two packet streams composed of received communications packets each time a communications packet is received. If the two packet streams are highly similar, it is highly likely that an attack or intrusion is being made and an alert is issued."

Thus the invention claimed in claims 1-20 is concerned with "performing real-time matching between two packet streams composed of received communications packets each time a communications packet is received."

Whereas, the cited art to Porras, US Patent 6,711,615, filed September 25, 2002, is entitled "Network surveillance". The Porras abstract reads:

    "A method of network surveillance includes receiving network packets handled by a network entity and building at least one long-term and at least one short-term statistical profile from a measure of the network packets that monitors data transfers, errors, or network connections. A comparison of the statistical profiles is used to determine whether the difference between the statistical profiles indicates suspicious network activity."

Porras is concerned with a "comparison of the statistical profiles," not with packet stream comparison. Thus claims 1-20 are allowable over Porras.
    5. As for claim 1, US '615 discloses: A communications monitoring system comprising: a communications sensor for receiving and monitoring in real time communications packets flowing at arbitrary points on a network, said communications being any of communications conducted via a host and communications conducted directly; and a similarity calculator for calculating formal similarity between two packet streams composed of communications packets entering the sensor upon arrival of the communications packets and said sensor employing said formal similarity in detecting an intrusion (see column 1, lines 52, 56 - 61; column 5, lines 46 - 50, 58 - 61; Abstract).

In response, the applicants respectfully state that exception is taken with the alleged equivalence of the elements of claim 1 and Porras. Claim 1 as amended reads:

    1. A communications monitoring system comprising:
    a communications sensor for receiving and monitoring in real time communications packets flowing at arbitrary points on a network, said communications being any of communications conducted via a host and communications conducted directly; and
    a similarity calculator for calculating formal similarity between two packet streams of similar duration composed of communications packets entering the sensor upon arrival of the communications packets, and said sensor employing said formal similarity in detecting an intrusion.

Thus claim 1 is a communications monitoring system monitoring in real time communications packets flowing at arbitrary points on a network. Porras is not real time monitoring. Porras is certainly not concerned with any formal similarity between two packet streams of similar duration. As stated above, Claim 1 has nothing to do with:
    comparison of short and long term anything;
    statistical profiles of anything;
    generation of any statistical score;
    any statistical similarities between packet streams;
    any network surveillance of short and long term statistical profiles; or
    aid in the generation of a statistical score that represents the similarities between the identified network packet streams that were subjected to network surveillance, as in Porras.

Applicants maintain Porras does not teach, have structure for or anticipate:
    doing anything at arbitrary points on a network;
    doing anything with packet streams of similar duration;
    calculating any formal similarity;
    any similarity between two packet streams of similar duration;
    receiving and monitoring in real time communications packets flowing at arbitrary points on a network;
    communications being any of communications conducted via a host and communications conducted directly;
    calculating formal similarity between anything;
    calculating formal similarity between two packet streams composed of communications packets entering the sensor upon arrival of the communications packets;
    employing said formal similarity for anything; or
    employing said formal similarity in detecting an intrusion.

The referenced portions of Porras (column 1, line 52, 56 - 61; column 5, lines 46-50, 58-61; Abstract) read as follows:

column 1, line 52, 56 - 61 reads:

    In general, in one aspect, a method of network surveillance includes receiving network packets (e.g., TCP/IP packets) handled by a network entity and building at least one long-term and at least one short-term statistical profile from at least one measure of the network packets that monitors data transfers, errors, or network connections. A comparison of at least one long-term and at least one short-term statistical profile is used to determine whether the difference between the short-term statistical profile and the long-term statistical profile indicates suspicious network activity.

Thus Porras is "building at least one long-term and at least one short-term statistical profile," and performs "comparison of at least one long-term and at least one short-term statistical profile," and determines whether the "difference between the short-term statistical profile and the long-term statistical profile indicates suspicious network activity." This has no likeness to claim 1, which is monitoring "in real time" and does "calculating formal similarity between two packet streams." Claim 1 is a packet stream-to-packet stream comparison. There are no statistics used in claim 1.

DOCKET NUMBER: JP920020149US1    16/31    Serial No.: 10/672,342

Porras doesn't allude to or anticipate "communications being any of communications conducted via a host and communications conducted directly." Porras doesn't allude to or anticipate "calculating formal similarity between two packet streams." Porras doesn't allude to or anticipate "a communications sensor for receiving and monitoring in real time communications packets flowing at arbitrary points on a network, said communications being any of communications conducted via a host and communications conducted directly." Porras doesn't allude to or anticipate "calculating formal similarity between two packet streams composed of communications packets entering the sensor upon arrival of the communications packets, and said sensor employing said formal similarity in detecting an intrusion." Thus Porras doesn't anticipate claim 1, and claim 1 and claims 2 and 3 that depend on it are allowable.

    For claim 2, US '615 discloses: The communications monitoring system according to claim 1, wherein the similarity calculator represents the two packet streams by graphs depicting amounts of data in communications packets in respective packet streams with respect to elapsed time, and calculates similarity between the two packet streams based on size of regions enclosed by the two graphs when the graphs of the packet streams are moved close to each other without intersecting each other (see column 6, lines 7 - 15).

In response, the applicants respectfully state that exception is taken with the alleged equivalence of the elements of claim 2 and Porras. Claim 2 is in regard to "two packet streams by graphs depicting amounts of data in communications packets in respective packet streams with respect to elapsed time, and calculates similarity between the two packet streams." Porras is based on statistics, and does not use and is not based on packet streams.

Exception is taken with the so-called equivalence of Porras's profiles to graphs. Indeed, a review of the office communication's statement of Porras's "network packet observation and collection (see column 1, lines 51 - 53)" has no teaching of the elements of claim 2.






The further office communication statement, "[M]oreover, the short and long term profiles of Porras are equivalent to the graphs depicting data communications since the profiles consist of data communication information (see column 1, lines 53 - 61; column 2, lines 49-60)," is extremely not understood and traversed by the applicants. There is no such equivalence. Porras's profiles, not being graphic, cannot be teaching any part of claim 2, and certainly not "calculates similarity between the two packet streams based on size of regions enclosed by the two graphs when the graphs of the packet streams are moved close to each other without intersecting each other." How do profiles move close to each other without intersecting each other? There is indeed no similarity or parallel teaching in Porras and the graph of claim 2.

Thus Porras doesn't anticipate claim 2, and claim 2 is allowable over Porras for itself and because it depends on an allowable claim.

    For claim 3 US '615 discloses: The communications monitoring system according to claim 1, wherein the communications sensor sends out a predetermined alert according to a similarity value calculated by the similarity calculator (see column 4, lines 64 - 66; column 8, lines 23-39, 57 - column 9, lines 1 - 5).

In response, the applicants respectfully state that exception is taken with the alleged equivalence of the elements of claim 3 and Porras. The referenced portions of Porras (column 4, lines 64-68; column 8, lines 23-39, 57 - column 9, lines 1-5) read as follows:

column 4, lines 64-68

    Referring to FIG. 2, each monitor 16 includes one or more analysis engines 22, 24. These engines 22, 24 can be dynamically added, deleted, and modified as necessary. In the dual-analysis configuration shown, a monitor 16 instantiation includes a signature analysis engine 22 and a statistical profiling engine 24. In general, a monitor 16 may include additional analysis engines that may implement other forms of analysis. A monitor 16 also includes a resolver 20 that implements a response policy and a resource object 32 that configures the monitor 16. The monitors 16 incorporate an application programmers' interface (API) that enhances encapsulation of monitor functions and eases integration of third-party intrusion-detection tools 28, 30.

column 8, lines 23-39

    The analysis engines 22, 24 receive large volumes of events and produce smaller volumes of intrusion or suspicion reports that are then fed to the resolver 20. The resolver 20 is an expert system that receives the intrusion and suspicion reports produced by the analysis engines 22, 24 and reports produced externally by other analysis engines to which it subscribes. Based on these
    reports, the resolver 20 invokes responses. Because the volume of intrusion and suspicion reports is lower than the volume of events received by the analysis engines 22, 24, the resolver 20 can afford the more sophisticated demands of configuration maintenance and managing the response handling and external interfaces necessary for monitor operation. Furthermore, the resolver 20 adds to extensibility by providing the subscription interface through which third-party analysis tools 28, 30 can interact and participate in the hierarchical analysis scheme.

column 8, line 57 - column 9, lines 1-5

    In addition to external-interface responsibilities, the resolver 20 operates as a fully functional decision engine, capable of invoking real-time response measures in response to malicious or anomalous activity reports produced by the analysis engines. The resolver 20 also operates as the center of intramonitor communication. As the analysis engines 22, 24 build intrusion and suspicion reports, they propagate these reports to the resolver 20 for further correlation, response, and dissemination to other monitors 16a-16f. The resolver 20 can also submit runtime configuration requests to the analysis engines 22, 24, for example, to increase or decrease the scope of analyses (e.g., enable or disable additional signature rules) based on various operating metrics. These configuration requests could be made as a result of encountering other intrusion reports from other subscribers. For example, a report produced by a service monitor 16a-16c in one domain could be propagated to an enterprise monitor 16f, which in turn sensitizes service monitors in other domains to the same activity.

These are not concerned with claim 3 based on packet streams. Porras is based on statistics, and does not use and is not based on packet streams of the same duration. Thus Porras doesn't anticipate claim 3, and claim 3 is allowable over Porras for itself and because it depends on an allowable claim.

    As for claim 4 US '615 discloses: A communications monitoring system comprising: a packet input means for receiving communications packets flowing at arbitrary points on a network, said communications being any of communications conducted via a host and communications conducted directly; and matching means for performing real-time matching between two packet streams composed of communications packets received by the packet input means and employing said real-time matching in detecting an intrusion (see column 1, line 52, 56 - 61; column 5, lines 46 - 50, 58 - 61; Abstract).

In response, the applicants respectfully state that exception is taken with the alleged equivalence of the elements of claim 4 and Porras. Claim 4 is a communications monitoring system monitoring in real time communications packets flowing at arbitrary points on a network. Porras is not real time monitoring.
The referenced portions of Porras are not concerned with anything at arbitrary points as in the elements of claim 4. These Porras portions (column 1, line 52, 56-61; column 5, lines 46-50, 58-61; Abstract) read as above and as follows.

column 1, line 52, 56 - 61

    In general, in one aspect, a method of network surveillance includes receiving network packets (e.g., TCP/IP packets) handled by a network entity and building at least one long-term and at least one short-term statistical profile from at least one measure of the network packets that monitors data transfers, errors, or network connections. A comparison of at least one long-term and at least one short-term statistical profile is used to determine whether the difference between the short-term statistical profile and the long-term statistical profile indicates suspicious network activity.

    Embodiments may include one or more of the following features. The measure may monitor data transfers by monitoring network packet data transfer commands, data transfer errors, and/or monitoring network packet data transfer volume. The measure may monitor network connections by monitoring network connection requests, network connection denials, and/or a correlation of network connections requests and network connection denials. The measure may monitor errors by monitoring error codes included in a network packet such as privilege error codes and/or error codes indicating a reason a packet was rejected.

column 5, lines 46-50, 58-61

    The profile engine 22 can use a wide range of multivariate statistical measures to profile network activity indicated by an event stream. A statistical score represents how closely currently observed usage corresponds to the established patterns of usage. The profiler engine 22 separates profile management and the mathematical algorithms used to assess the anomaly of events. The profile engine 22 may use a statistical analysis technique described in A. Valdes and D. Anderson, "Statistical Methods for Computer Usage Anomaly Detection Using NIDES", Proceedings of the Third International Workshop on Rough Sets and Soft Computing, January 1995, which is incorporated by reference in its entirety. Such an engine 22 can profile network activity via one or more variables called measures. Measures can be categorized into four classes: categorical, continuous, intensity, and event distribution measures.

    Categorical measures assume values from a discrete, nonordered set of possibilities. Examples of categorical measures include network source and destination addresses, commands (e.g., commands that control data transfer and manage network connections), protocols, error codes (e.g., privilege violations, malformed service requests, and malformed packet codes), and port identifiers. The profiler engine 22 can build empirical distributions of the category values encountered, even if the list of possible values is open-ended. The engine 22 can have mechanisms for "aging out" categories whose long-term probabilities drop below a threshold.

Thus claim 4 is a communications monitoring system monitoring in real time communications packets flowing at arbitrary points on a network. Porras is not real time monitoring of arbitrary
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1 points. Porras is based on packet statistics. Porras doesn't allude to or anticipate 

2 "communications being any of communications conducted via a host and communications 

3 conducted directly." Porras doesn't allude to or anticipate "packet streams." Porras doesn't 

4 allude to or anticipate "performing real-time matching between two packet streams composed of 

5 communications packets received by the packet input means." Porras doesn't allude to or 

6 anticipate "employing said real-time matching in detecting an intrusion." Thus Porras doesn't 

7 anticipate claim 4, and claim 4 and claims 5 and 6 that depend on it are allowable. 



    For claim 5, US '615 discloses: The communications monitoring system according to claim 4, wherein the matching means determines formal similarity between the two packet streams based on a time lag between each corresponding pair of communications packets in the two packet streams. (see column 6, lines 7 - 15).

In response, the applicants respectfully state that exception is taken with the alleged equivalence of the element of claim 5 and Porras. Porras is not concerned with matching packet streams. Porras is based on long and short term statistics. Porras fails to show matching means determining formal similarity between the two packet streams based on a time lag between each corresponding pair of communications packets in the two packet streams. Claim 5 is amended and includes "formal similarity between the two packet streams being similar in an amount of data and transmission interval of packets irrespective of data content and is determined based on a time lag between each corresponding pair of communications packets in the two packet streams." There is no such teaching in Porras. Thus Porras doesn't anticipate claim 5, and claim 5 is allowable over Porras for itself and because it depends on an allowable claim.

    For claim 6, US '615 discloses: The communications monitoring system according to claim 5, further comprising alerting means for sending out a predetermined alert according to the formal similarity between the two packet streams determined by the matching means. (see column 4, lines 64 - 66; column 8, lines 23-39, 57 - column 9, lines 1 - 5).

DOCKET NUMBER: JP920020149US1    21/31    Serial No.: 10/672,342



In response, the applicants respectfully state that exception is taken with the alleged equivalence of the element of claim 6 and Porras. The referenced portions of Porras are not concerned with claim 6. Porras column 4, lines 64-66; column 8, lines 23-39, 57 - column 9, lines 1-5 read:

    column 4 lines 64-68
    Referring to FIG. 2, each monitor 16 includes one or more analysis engines 22, 24. These engines 22, 24 can be dynamically added, deleted, and modified as necessary. In the dual-analysis configuration shown, a monitor 16 instantiation includes a signature analysis engine 22 and a statistical profiling engine 24. In general, a monitor 16 may include additional analysis engines that may implement other forms of analysis. A monitor 16 also includes a resolver 20 that implements a response policy and a resource object 32 that configures the monitor 16. The monitors 16 incorporate an application programmers' interface (API) that enhances encapsulation of monitor functions and eases integration of third-party intrusion-detection tools 28, 30.

    In addition to external-interface responsibilities, the resolver 20 operates as a fully functional decision engine, capable of invoking real-time response measures in response to malicious or anomalous activity reports produced by the analysis engines. The resolver 20 also operates as the center of intramonitor communication. As the analysis engines 22, 24 build intrusion and suspicion reports, they propagate these reports to the resolver 20 for further correlation, response, and dissemination to other monitors 16a-16f. The resolver 20 can also submit runtime configuration requests to the analysis engines 22, 24, for example, to increase or decrease the scope of analyses (e.g., enable or disable additional signature rules) based on various operating metrics. These configuration requests could be made as a result of encountering other intrusion reports from other subscribers. For example, a report produced by a service monitor 16a-16c in one domain could be propagated to an enterprise monitor 16f, which in turn sensitizes service monitors in other domains to the same activity.

This is not claim 6's "alerting means for sending out a predetermined alert according to the formal similarity between the two packet streams determined by the matching means." Thus Porras doesn't anticipate claim 6, and claim 6 is allowable over Porras for itself and because it depends on an allowable claim.



    As for claim 7, US '615 discloses: A communications monitoring method for monitoring data communications using a computer, comprising the steps of: acquiring in real time communications packets in sequence from arbitrary points on a network and storing them in predetermined storage means together with information about a packet stream to which the communications packets belong, said communications being any of communications conducted via a host and communications conducted directly; on reception of a predetermined communication packet, taking another communications packet received within a predetermined time before acquiring a predetermined communications packet, out of the storage means; determining formal similarity between the first packet stream which contains up to the acquired communications packet and a second packet stream to which the communications packet taken out of the storage means belong; and sending out a predetermined alert according to the determined similarity. (see column 1, line 52, 56 - 61; column 5, lines 46 - 50, 58 - 61; Abstract).

In response, the applicants respectfully state that exception is taken with the alleged equivalence of the element of claim 7 and Porras. Claim 7 is amended to read:

    7. (Currently amended) A communications monitoring method for monitoring data communications using a computer, comprising the steps of:
    acquiring in real time communications packets in sequence from arbitrary points on a network and storing them in predetermined storage means together with information about a packet stream to which the communications packets belong, said communications being any of communications conducted via a host and communications conducted directly;
    on reception of a predetermined communication packet, taking another communications packet received within a predetermined time before acquiring a predetermined communications packet, out of the storage means;
    determining formal similarity between the first packet stream which contains up to the acquired communications packet and a second packet stream to which the communications packet taken out of the storage means belong; and
    sending out a predetermined alert according to the determined similarity.

Porras is not concerned with matching packet streams. Porras is based on long and short term statistics. Porras fails to show "formal similarity between the first packet stream."
Porras doesn't allude to or anticipate "acquiring in real time communications packets in sequence."
Porras doesn't allude to or anticipate first and second packet streams "being of similar duration of said first packet stream."
Porras doesn't allude to or anticipate storing "in predetermined storage means together with information about a packet stream to which the communications packets belong."
Porras doesn't allude to or anticipate "communications being any of communications conducted via a host and communications conducted directly."
Porras doesn't allude to or anticipate "reception of a predetermined communication packet, taking another communications packet received within a predetermined time before acquiring a predetermined communications packet, out of the storage means."
Porras doesn't allude to or anticipate "determining formal similarity between the first packet stream which contains up to the acquired communications packet and a second packet stream to which the communications packet taken out of the storage means belong."
Porras doesn't allude to or anticipate "sending out a predetermined alert according to the determined similarity."
Thus Porras doesn't anticipate claim 7, and claim 7 and claims 8 and 9 that depend on it are allowable.
    For claim 8, US '615 teaches: The communications monitoring method according to claim 7, wherein in the step of determining the formal similarity of packet streams, the formal similarity between the two packet streams is determined based on a time lag between each corresponding pair of communications packets in the two packet streams. (see column 6, lines 7 - 15).

In response, the applicants respectfully state that exception is taken with the alleged equivalence of the element of claim 8 and Porras. Porras column 6, lines 7-15 reads as follows:

    column 6 lines 7-15
    Continuous measures assume values from a continuous or ordinal set. Examples include inter-event time (e.g., difference in time stamps between consecutive events from the same stream), counting measures such as the number of errors of a particular type observed in the recent past, the volume of data transfers over a period of time, and network traffic measures (number of packets and number of kilobytes). The profiler engine 22 treats continuous measures by first allocating bins appropriate to the range of values of the underlying measure, and then tracking the frequency of observation of each value range. In this way, multi-modal distributions are accommodated and much of the computational machinery used for categorical measures is shared. Continuous measures are useful not only for intrusion detection, but also to support the monitoring of the health and status of the network from the perspective of connectivity and throughput. For example, a measure of traffic volume maintained can detect an abnormal loss in the data rate of received packets when this volume falls outside historical norms. This sudden drop can be specific both to the network entity being monitored and to the time of day (e.g., the average sustained traffic rate for a major network artery is much different at 11:00 a.m. than at midnight).

This is not relevant to, and does not teach, the elements of claim 8. Porras is not concerned with matching packet streams. Porras is based on long and short term statistics. Porras fails to show matching means determining formal similarity between the two packet streams based on a time lag between each corresponding pair of communications packets in the two packet streams. Thus Porras doesn't anticipate claim 8, and claim 8 is allowable over Porras for itself and because it depends on an allowable claim.



    For claim 9, US '615 teaches: The communications monitoring method according to claim 7, further comprising a step of discarding information used in determining the similarity of second packet streams except the second packet stream determined to be most similar to the first packet stream. (see column 6, lines 7 - 15; column 8, lines 23 - 39, 57 - column 9, lines 1 - 5).

In response, the applicants respectfully state that exception is taken with the alleged equivalence of the element of claim 9 and Porras. A review of the referenced portions of Porras shows that Porras is not concerned with claim 9. Porras is not concerned with "discarding information used in determining the similarity of second packet streams except the second packet stream determined to be most similar to the first packet stream." Thus Porras doesn't anticipate claim 9, and claim 9 is allowable over Porras for itself and because it depends on an allowable claim.



    As for claim 10, US '615 teaches: An information processing method comprising comparing two packet streams flowing in real time on a network, the step of comparing comprising the steps of acquiring communications packets in sequence from arbitrary points on a network and storing them in predetermined storage means together with information about a packet stream to which the communications packets belong, said communications packets being in any of communications conducted via a host and communications conducted directly; on reception of a predetermined communication packet, taking another communications packet received within a predetermined time before acquiring a predetermined communications packet, out of the storage means; and performing matching between the first packet stream which contains up to the acquired communications packet and a second packet stream to which the communications packet taken out of the storage means belong. (see column 1, line 52, 56 - 61; column 5, lines 46-50, 58-61; Abstract).

In response, the applicants respectfully state that exception is taken with the alleged equivalence of the element of claim 10 and Porras. Claim 10 reads:

    10. An information processing method comprising comparing two packet streams flowing in real time on a network, the step of comparing comprising the steps of:
    acquiring communications packets in sequence from arbitrary points on a network and storing them in predetermined storage means together with information about a packet stream to which the communications packets belong, said communications packets being in any of communications conducted via a host and communications conducted directly;
    on reception of a predetermined communication packet, taking another communications packet received within a predetermined time before acquiring a predetermined communications packet, out of the storage means; and
    performing matching between the first packet stream which contains up to the acquired communications packet and a second packet stream to which the communications packet taken out of the storage means belong.

As with independent claims 1, 4 and 7, claim 10 is not anticipated by Porras. Porras is based on statistics. Thus, Porras doesn't allude to or anticipate "comparing two packet streams." Porras doesn't allude to or anticipate these "flowing in real time on a network."
Porras doesn't allude to or anticipate "acquiring communications packets in sequence from arbitrary points on a network and storing them in predetermined storage means together with information about a packet stream to which the communications packets belong."
Porras doesn't allude to or anticipate "packets being in any of communications conducted via a host and communications conducted directly."
Porras doesn't allude to or anticipate "reception of a predetermined communication packet, taking another communications packet received within a predetermined time before acquiring a predetermined communications packet, out of the storage means."
Porras doesn't allude to or anticipate "performing matching between the first packet stream which contains up to the acquired communications packet and a second packet stream to which the communications packet taken out of the storage means belong."
Porras doesn't allude to or anticipate a "second packet stream being of similar duration of said first packet stream."
Thus, Porras doesn't anticipate claim 10, and claims 11 and 12 are allowable over Porras each for itself and/or because it depends on an allowable claim.

    For claim 11, US '615 teaches: The information processing method according to claim 10, wherein in the step of performing matching between the packet streams, the first and second packet streams are represented by graphs which depict increments of sequence numbers of communications packets in respective packet streams with respect to elapsed time and the similarity between the two packet streams is calculated based on size of regions enclosed by the two graphs when the graphs of the packet streams are moved close to each other without intersecting each other. (see column 6, lines 7 - 15).

In response, the applicants respectfully state that exception is taken with the alleged equivalence of the element of claim 11 and Porras. A review of the copied portions of Porras shows that claim 11 is not anticipated by Porras and is allowable over Porras for itself and because it depends on an allowable claim.

    For claim 12, US '615 teaches: The information processing method according to claim 11, wherein in the step of calculating the similarity between the packet streams, information used in determining the similarity is discarded according to time-axis lengths of the regions enclosed by the two graphs. (see column 6, lines 7 - 15; column 8, lines 23-39, 57 - column 9, lines 1-5).

In response, the applicants respectfully state that exception is taken with the alleged equivalence of the element of claim 12 and Porras. A review of the copied portions of Porras shows that claim 12 is not anticipated by Porras and is allowable over Porras for itself and because it depends on an allowable claim.

    For claim 13, US '615 teaches: An article of manufacture comprising a computer usable medium having computer readable program code means embodied therein for causing communications monitoring, the computer readable program code means in said article of manufacture comprising computer readable program code means for causing a computer to effect the steps of claim 7. (see Figure 6).

    For claim 14, US '615 teaches: A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for communications monitoring, said method steps comprising the steps of claim 7. (see Figure 6).

    For claim 15, US '615 teaches: An article of manufacture comprising a computer usable medium having computer readable program code means embodied therein for causing information processing, the computer readable program code means in said article of manufacture comprising computer readable program code means for causing a computer to effect the steps of claim 10. (see Figure 6).

    For claim 16, US '615 teaches: A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for information processing, said method steps comprising the steps of claim 10. (see Figure 6).

    For claim 17, US '615 teaches: A computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing communications monitoring, the computer readable program code means in said computer program product comprising computer readable program code means for causing a computer to effect the functions of claim 1. (see column 2, lines 32 - 36; Figure 6).

    For claim 18, US '615 teaches: A computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing communications monitoring, the computer readable program code means in said computer program product comprising computer readable program code means for causing a computer to effect the functions of claim 4. (see column 2, lines 32 - 36; Figure 6).

In response, the applicants respectfully state that exception is taken with the alleged equivalence of the element of claims 13-18 and Porras. Claims 13-18 are computer and Beauregard claims not anticipated by Porras. Thus Porras doesn't anticipate claims 13-18, which are allowable over Porras each for itself and because each depends on an allowable claim.



    For claim 19, US '615 teaches: the communications monitoring system according to Claim 1, wherein the similarity calculator represents the two packet streams by graphs depicting amounts of data in communications packets in respective packet streams with respect to elapsed time, and calculates similarity between the two packet streams based on size of regions enclosed by the two graphs when the graphs of the packet streams are moved close to each other without intersecting each other, (see column 6, lines 7 - 15) and wherein the communications sensor sends out a predetermined alert according to a similarity value calculated by the similarity calculator. (see column 4, lines 64 - 66; column 8, lines 23-39, 57 - column 9, lines 1-5).

In response, the applicants respectfully state that, as was shown for claims 1 and 2, Porras indeed fails to teach "the communications monitoring system according to Claim 1." A review of Porras column 6, lines 7-15, shows that Porras fails to teach or anticipate any graph, any formal similarity, any calculation of a formal similarity, and certainly fails to teach "wherein the communications sensor sends out a predetermined alert according to a similarity value calculated by the similarity calculator" in Porras column 4, lines 64-66; column 8, lines 23-39, 57 - column 9, lines 1-5. Thus, Claim 19 is not anticipated by Porras and is allowable over Porras for itself and because it depends on an allowable claim.

    For claim 20, US '615 teaches: The information processing method according to Claim 10, wherein in the step of performing matching between the packet streams, the first and second packet streams are represented by graphs which depict increments of sequence numbers of communications packets in respective packet streams with respect to elapsed time and the similarity between the two packet streams is calculated based on size of regions enclosed by the two graphs when the graphs of the packet streams are moved close to each other without intersecting each other, (see column 6, lines 7 - 15) and wherein in the step of calculating the similarity between the packet streams, information used in determining the similarity is discarded according to time-axis lengths of the regions enclosed by the two graphs. (see column 6, lines 7-15; column 8, lines 23-39, 57 - column 9, lines 1-5).

In response, the applicants respectfully state that, as was shown for claims 1 and 2, Porras indeed fails to teach "the information processing method according to Claim 10." A review of Porras column 6, lines 7-15, and column 4, lines 64-66; column 8, lines 23-39, 57 - column 9, lines 1-5, shows that Porras fails to teach or anticipate any graph, anything like a "step of performing matching between the packet streams, the first and second packet streams are represented by graphs which depict increments of sequence numbers of communications packets in respective packet streams with respect to elapsed time and the similarity between the two packet streams is calculated based on size of regions enclosed by the two graphs when the graphs of the packet streams are moved close to each other without intersecting each other," and Porras fails to teach or anticipate any graph, anything like a "step of calculating the similarity between the packet streams, information used in determining the similarity is discarded according to time-axis lengths of the regions enclosed by the two graphs." Thus, Claim 20 is not anticipated by Porras and is allowable over Porras for itself and because it depends on an allowable claim.
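As an added worked example (not part of this response, of the application, or of the cited Porras patent), the matching procedure recited in claims 7, 10 and 11 in Python: packets are stored together with their stream, each received packet's stream is matched against the other streams seen within a look-back window, the two streams' cumulative-byte graphs are moved as close as possible without intersecting, the enclosed area gives the formal similarity, only the most similar second stream is kept, and an alert is raised on it. The monitor's names and thresholds and the sample capture are constructed assumptions, not values from the application.

```python
from bisect import bisect_left
from dataclasses import dataclass
from itertools import accumulate

@dataclass(frozen=True)
class Packet:
    t: float      # capture time in seconds at an arbitrary observation point
    stream: str   # packet stream the packet belongs to (stored alongside it)
    size: int     # bytes carried: the stream's sequence-number increment

def graph(pkts):
    """Step graph of a stream: (time, cumulative bytes after that packet)."""
    pkts = sorted(pkts, key=lambda p: p.t)
    return list(zip((p.t for p in pkts), accumulate(p.size for p in pkts)))

def value_at(g, t, eps=1e-9):
    """Cumulative bytes of step graph g at time t (0 before its first packet);
    eps absorbs float round-off from shifting times back and forth."""
    idx = bisect_left(g, (t + eps, float("inf")))
    return g[idx - 1][1] if idx else 0

def closest_shift(lead, trail):
    """Largest d such that `trail` moved d seconds earlier stays at or below `lead`
    everywhere (graphs moved close without intersecting); None if impossible."""
    d = None
    for tb, level in trail:
        ta = next((t for t, c in lead if c >= level), None)
        if ta is None:          # trail carries more data than lead
            return None
        d = tb - ta if d is None else min(d, tb - ta)
    return d

def area_between(lead, trail, d, now):
    """Area enclosed between `lead` and `trail` shifted earlier by d, up to now."""
    cuts = sorted({t for t, _ in lead} | {t - d for t, _ in trail} | {now})
    return sum(abs(value_at(lead, t0) - value_at(trail, t0 + d)) * (t1 - t0)
               for t0, t1 in zip(cuts, cuts[1:]) if t0 < now)

def formal_similarity(first, second, now):
    """(lag, jitter): the shift bringing the graphs closest without intersecting,
    and the enclosed area per byte carried (seconds). Sizes and timing only."""
    for lead, trail in ((second, first), (first, second)):
        d = closest_shift(lead, trail)
        if d is not None:
            return d, area_between(lead, trail, d, now) / trail[-1][1]
    return None

class StreamMonitor:
    """Storage means plus matcher: keeps recent packets tagged with their stream,
    matches each packet's stream against the others seen in the look-back window,
    keeps only the most similar one and alerts below the jitter threshold."""
    def __init__(self, lookback=5.0, max_jitter=0.02, min_packets=3):  # assumed values
        self.lookback, self.max_jitter, self.min_packets = lookback, max_jitter, min_packets
        self.stored = []

    def receive(self, pkt):
        self.stored = [p for p in self.stored if p.t >= pkt.t - self.lookback] + [pkt]
        by_stream = {}
        for p in self.stored:
            by_stream.setdefault(p.stream, []).append(p)
        first, best = by_stream.pop(pkt.stream), None
        for name, second in by_stream.items():
            if min(len(first), len(second)) < self.min_packets:
                continue
            sim = formal_similarity(graph(first), graph(second), pkt.t)
            if sim and (best is None or sim[1] < best[2]):
                best = (name, *sim)   # less similar candidates are discarded
        if best and best[2] <= self.max_jitter:
            return {"first": pkt.stream, "second": best[0], "lag": best[1], "jitter": best[2]}
        return None

# Constructed sample capture: "in" enters a host, "out" is the same data relayed
# about 0.1 s later, "web" is unrelated traffic seen in the same window.
SAMPLE = [Packet(0.0, "in", 100), Packet(0.12, "out", 100), Packet(0.2, "web", 1400),
          Packet(0.3, "web", 1400), Packet(0.5, "in", 200), Packet(0.61, "out", 200),
          Packet(0.9, "web", 60), Packet(1.0, "in", 50), Packet(1.10, "out", 50)]

def run_demo(packets=SAMPLE):
    mon = StreamMonitor()
    return [a for a in map(mon.receive, packets) if a]
```

On the sample capture the monitor raises exactly one alert, pairing "out" with "in" at a lag of about 0.1 s, while "web" never aligns with either relayed stream.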

It is anticipated that this brings allowance of claims 1-20. Please contact the undersigned if any question remains. Please charge any fee necessary to enter this paper to deposit account 50-0510.

Respectfully submitted,

By: /Louis Herzberg/
Dr. Louis P. Herzberg
Reg. No. 41,500
Voice Tel. (845) 352-3194
Fax. (845) 352-3194
3 Cloverdale Lane
Monsey, NY 10952
Customer Number: 54856